If you manage Android phones or tablets for your company, educational institution, or healthcare environment, sooner or later you will encounter the kiosk mode or restricted accessIt's that special configuration where the device stops being a "normal" mobile phone and starts functioning almost like a dedicated machine: few apps, zero distractions, and everything very controlled.
When you try to implement it for the first time, especially with MDM solutions or Android Enterprise, doubts may arise: What policies need to be applied, why is the Settings app disappearing, how do I set the order of the applications, can I use only one browser like Chrome? In this article you will see, in detail and in clear language, how kiosk mode works in Android, what you need to configure it properly and what limitations you will encounter.
What is kiosk mode on Android and what is it used for?
Kiosk mode on Android is a way to run the device in a highly restricted, leaving only one or a few specific applications visible and blocking the rest of the system's functions. This is usually applied to corporate or shared-use equipment where the end user should not have free access to the phone or tablet.
In modern environments, this kiosk mode is managed through a solution of MDM (Mobile Device Management) or UEMwhich applies policies at the device level. These policies control which apps can be used, which hardware buttons work, which settings options are displayed, and how the home screen behaves.
When you talk about Android Enterprise, kiosk mode is usually associated with what are called dedicated devices (formerly known as COSU), designed for very specific use cases: point-of-sale terminals, information kiosks, check-in devices, digital signature tablets, etc.
Advantages of MDM-managed kiosk mode
One of the great advantages of using kiosk mode in conjunction with an MDM solution is that you can manage devices remotely from a central consoleThis allows you to configure, update, and monitor dozens or hundreds of devices without having to be physically present.
By limiting access to a very small set of apps, kiosk mode helps to strengthen corporate security and data protectionUsers cannot install third-party applications, browse freely, or access system functions that may pose a risk.
Another key advantage is improved productivity. By eliminating distractions and blocking everything unnecessary, the device becomes focused on a very specific task: registering patients, displaying a restaurant menu, signing documents, logging into a portaletc. All of this reduces errors, speeds up processes, and provides a much more consistent user experience.
From the MDM console you can also Monitor equipment usage, implement updated security policies, schedule app installations or updates and check if the devices comply with the standards set by the organization.
In which devices and sectors is kiosk mode used?
Kiosk mode can be applied to virtually any Android device managed through an Android Enterprise-compatible MDMIts use is especially common in companies with fleets of terminals, but also in public institutions and educational centers.
Use cases by sector
In the retail sector, the kiosk mode is perfect for Catalog tablets, stock inquiry screens, self-service terminals or loyalty points. The user only sees the corporate application that interests them and cannot interact with anything else.
In the hospitality industry, it is very common to use kiosk-mode devices for Digital menus, mobile POS systems, table ordering devices or self-service kiosks in fast food chains, preventing the customer from leaving the restaurant's app.
In healthcare, dedicated devices are often used for Patient management, check-in, consent signing, medical record consultation or internal communication among healthcare staff. Here, data security and privacy are critical, and kiosk mode helps minimize risks.
In education, kiosk mode allows you to configure Android tablets or laptops as devices for restricted academic useshowing only approved educational applications and preventing access to leisure apps or social networks that may distract students.
In all these cases, the key is that the special-purpose devices behave predictably, with a strict control over what they can and cannot do, and that can be managed centrally by the IT department or the service provider.
What do you need before setting up kiosk mode?
Before you start configuring kiosk mode, it's important to be clear about which components you'll be using and what your company's requirements are. Generally speaking, you'll need an MDM or UEM with Android Enterprise support that has kiosk functionalities or dedicated devices.
In addition to the MDM platform, you will need to define which applications will be allowed on the device, and how. uninstall apps remotely if necessary. This includes the proprietary corporate apps, third-party applications such as browsers (for example, Google Chrome) and, if you want, some administration or support tool.
In some scenarios, a specific home screen application or managed launcher is used, such as the Microsoft Managed Home Screen When you work with Microsoft Intune, this type of app acts as a "layer" between Android and the user, showing only authorized apps on a controlled desktop.
It is also advisable to prepare the policy structure in advance: what system restrictions you want to apply, what Which hardware buttons will you disable, what settings can users access? and how the device will be updated or maintained over time.
How does kiosk mode work on an MDM platform?
Android Kiosk Mode, when managed with MDM, works by applying device-level policiesThese policies tell the system which features to block and what behavior the launcher or home screen should have.
Among the most common policies are those that They restrict applications, system navigation, hardware buttons, and settings.For example, you can prevent access to the notification bar, prevent the user from installing new apps, or block the use of the camera if it is not needed.
The administrators They manage all of this remotely, from a MDM centralized consoleThere, configuration profiles are created, single-application or multi-application kiosk modes are defined, and these profiles are assigned to the desired device groups.
Some manufacturers, such as Sony with Enterprise API level 9 or later, have specific settings for the volume buttons. If you disable any of the options... increase volume, decrease volume, or mute volume In kiosk mode, all the volume buttons on the device are actually disabled.
Single App Kiosk vs Multi App Kiosk on Android
Within the world of kiosks on Android, two main approaches are usually distinguished: the Single App Kiosk mode and the Multi App Kiosk mode. Choosing one or the other depends entirely on the use case.
In single-application mode, the device starts up and remains locked in a single appA typical example is a tablet that displays only a registration form or a website for logging into a system. The user cannot switch to other applications or go to the home screen.
In multi-app mode, you can allow them to be available several specific apps, which are displayed on a controlled home screenThis is what is usually done when the device has several functions: for example, a medical records app, a secure browser for specific queries, and a remote support tool.
Some platforms, such as Intune, allow combining the use of a managed launcher, such as Microsoft Managed Home Screen, with a Multi-app kiosk profile that defines the order and visibility of appsThis creates a highly guided user experience, with the icons always in the same place.
How to set up kiosk mode on Android with Intune and Android Enterprise
In the Android Enterprise scenario with Intune, it is common to work with dedicated devices for environments such as healthcareThe goal is to display only the necessary applications, in a specific order and without distractions. The process has several layers that are important to understand.
One common way to do this is to create a Intune device restriction policy and, within it, enable a multi-app kiosk. In this kiosk, you define which apps are allowed and in what order you want them to be displayed.
After that, it is usually necessary to deploy the application Microsoft Managed Home Screen to the device, setting it as the default home screen. This app will be responsible for displaying only authorized applications and hiding the rest of the Android system.
In addition to the restriction policy, you will often have to apply a specific application configuration policy for Managed Home ScreenThis policy introduces JSON code that defines, among other things, the order in which apps appear on the desktop and other behavior settings.
If you don't include that JSON configuration in the application policy, you might The apps are not displaying correctly on the home screeneven if they are permitted under the device's kiosk policy. Therefore, in many cases, it is necessary to align what is defined in the restriction policy with what is configured in the application's policy.
This raises the question of whether it's mandatory to duplicate the app order configuration in both policies. In practice, The correct method usually involves defining the set of apps and kiosk mode in the restriction policy. and then use the application policy (with JSON) to fine-tune the order and visual layout within Microsoft Managed Home Screen.
Using Google Chrome in single-application kiosk mode
Another very typical case in Intune is wanting to use Google Chrome in single-application kiosk modeso that the device only serves to access a specific website that acts as a login screen or main portal.
To do this, Google Chrome is downloaded and installed on the device and a Device configuration profile with Single App Kiosk mode enabledby choosing Chrome as the blocked application. The goal is that, when the user turns on the device, they can only use that browser.
If Chrome doesn't actually set it as the only app when you try to configure it, it's usually because Additional adjustments are needed in the kiosk policy or in the profile assignment, or the necessary restrictions to prevent the user from accessing the rest of the system have not been properly applied.
It is also possible to combine this with browser configuration policies so that Chrome open a specific URL directly, block the address bar, or limit browsing to certain domainsThus, the single-app kiosk offers exactly the controlled experience you want.
Show or hide the Settings app in kiosk mode
One of the recurring questions when starting to use kiosk mode is why The Android Settings app disappears from the deviceIn most tightly controlled kiosk setups, this is by design, so that the user cannot modify the system settings.
In many business scenarios, allowing the user access to the settings would be a problem, because it could disable WiFi, change accounts, modify profiles or even try to exit kiosk mode. That's why MDMs tend to completely hide the Settings app when the device is in kiosk mode.
During the testing or initial deployment phase, it may be helpful for you, as the administrator, to be able to Access device settings while the kiosk is activeDepending on the MDM solution, there may be options to allow limited adjustments or to temporarily unlock the kiosk with an administrator PIN.
However, in many cases it's not possible to display the Settings app as just another app within the kiosk, precisely because it's located in contrary to the objective of keeping the device completely under controlIt is common practice that, when the deployment goes into production, it is accepted that the end user will not have access to those settings.
Detailed configuration of settings in kiosk mode
Once kiosk mode is activated in your MDM, you can adjust various parameters to tailor the device's behavior to your use case. This includes deciding what actions enabled by the physical power and volume buttons, whether notifications are displayed and whether certain system panels can be opened.
For example, you can define how the power button responds: whether it allows you to turn off the device, restart it, or if it simply locks and unlocks the screen. In a public kiosk, this might be of interest. restrict the user's ability to turn off the device as much as possible.to prevent a customer from leaving the terminal inoperative.
You can also decide whether to display the following during kiosk mode Notifications appear in the status bar or are completely hidden.In some environments, notifications can be a distraction, while in others they may be necessary for operational alerts or critical messages.
In general, these options are adjusted from the kiosk mode policy itself or from advanced device configuration profiles within the MDM. It is advisable to thoroughly test changes on a test team before applying the same policy to the entire fleet.
Device features you can disable in kiosk mode
A key aspect for a kiosk to be truly effective is deciding what device functions will be disabledIf you leave too many features active, you run the risk that the user could escape the controlled environment.
Many MDMs allow granular disabling of options such as Allow Start button, Allow Task Manager, Volume keys, Navigation bar and other elements. If you don't disable any of these features, kiosk mode will be more of a mild limitation, but the user will still be able to exit the app or use the device almost normally.
To achieve a "real" or strict kiosk mode, it is recommended, at a minimum, disable the Start button and access to the task managerThis prevents the user from switching apps, forcing closures, or navigating the system outside of permitted areas.
For Sony devices with Enterprise API level 9 or higher, disabling any of the volume options (up, down, or mute) will disable them. Press all volume buttons togetherThese types of manufacturer specifications should be taken into account when designing the kiosk profile.
How to access and exit kiosk mode
Once kiosk mode is configured and the corresponding profile is assigned, using it from the user's perspective is usually very simple: Simply turn on the device as usualDepending on the settings marked in the MDM, allowed applications are either launched automatically or displayed on a restricted home screen.
If a single-app kiosk has been configured, the designated app (for example, Chrome pointing to a specific website) will open as soon as the device is turned on, and the user You won't see any app menus or the typical Android home screen.In a multi-application kiosk, only the allowed icons will appear in the established order.
Exiting kiosk mode, however, is usually restricted to administrators or authorized personnel. Depending on the MDM, this can be done by entering a special PIN or password, a key combination, or by removing the kiosk profile from the administration console for that device.
In testing or support environments, it's a good idea to thoroughly document the internal procedures for unlock the kiosk when changes, manual updates, or diagnostics are neededThis prevents technicians from getting stuck due to their own configuration.
MDM solutions with kiosk mode support
Today, almost all serious mobile device management solutions include some type of kiosk mode or dedicated device profile for AndroidThis is closely tied to the capabilities of Android Enterprise and the support offered by each MDM manufacturer.
Among the most common platforms are tools that allow configure, apply policies, restrict functions and monitor the use of terminals centrally. Each one offers its own kiosk configuration interface and may have slight differences in nomenclature and options.
When choosing an MDM for your kiosk project, it's worth carefully reviewing what application control options, hardware buttons, and system settings It offers, how it integrates with Android Enterprise, and whether it has specific documentation for dedicated device or kiosk scenarios.
It is also interesting to consider whether MDM allows manage different types of platforms (Android, iOS, Windows, etc.) from the same console, especially if your organization uses a diverse fleet of devices and not just Android.
Kiosk mode in Android, properly configured via an MDM and supported by Android Enterprise, turns a standard mobile phone or tablet into a specialized, safe and distraction-free deviceUnderstanding the differences between a single-app and multi-app kiosk, properly adjusting policies (including the use of managed launchers and JSON configurations when appropriate), and deciding which hardware features to disable will allow you to offer your users a stable and consistent experience while maintaining full control from within your IT department.